#!/bin/bash
PATH=/www/server/panel/pyenv/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

py_v="/usr/bin/python"
pip_v="pip"
if [ -d "/www/server/panel/pyenv" ]; then
    py_v="/www/server/panel/pyenv/bin/python3"
    pip_v="/www/server/panel/pyenv/bin/pip3"
fi

mkdir /var/run/fail2ban
plugin_path="/www/server/panel/plugin/fail2ban"
fail2ban_ver="1.1.0"

installSystemLib(){
  if command -v apt-get >/dev/null 2>&1; then
    apt-get install libsystemd-dev pkg-config -y
  elif command -v yum >/dev/null 2>&1; then
    yum install systemd-devel pkgconfig -y
  fi
}

systemd_python="False"

# 优化后的 systemd-python 安装逻辑
install_systemd_python() {
    # 检查是否已安装 systemd-python
    if ! ${pip_v} show systemd-python >/dev/null 2>&1; then
        echo "Installing systemd-python..."
        # 安装系统依赖
        installSystemLib

        # 尝试安装 systemd-python
        if ${pip_v} install systemd-python; then
            systemd_python="True"
            echo "systemd-python installed successfully"
        else
            echo "Warning: Failed to install systemd-python, falling back to polling backend"
            # 可以在这里添加配置文件修改逻辑，将 backend 改为 polling
        fi
    else
        systemd_python="True"
        echo "systemd-python already installed"
    fi
}

new_install() {
    # 检测asynchat,
    if [ ! -f "/www/server/panel/pyenv/lib/python3.7/asynchat.py" ]; then
        if [ -f "/www/server/panel/pyenv/lib/python3.7/test/support/asynchat.py" ]; then
            \cp /www/server/panel/pyenv/lib/python3.7/test/support/asynchat.py /www/server/panel/pyenv/lib/python3.7/
        else
            ${pip_v} install pyasynchat
        fi
    fi
    install_systemd_python
    cp $plugin_path/fail2ban.tar.gz /tmp/fail2ban.tar.gz
    cd /tmp
    tar -zxf fail2ban.tar.gz
#    mv /tmp/fail2ban-${fail2ban_ver} /tmp/fail2ban
    cd /tmp/fail2ban
    rm -f /tmp/fail2ban.tar.gz
    ${py_v} setup.py install
    cp /tmp/fail2ban/files/debian-initd /etc/init.d/fail2ban
    if [ -L "/lib" ]; then
        # 获取软链接的目标路径
        lib_target=$(readlink -f "/lib")

        # 检查软链接的目标是否为 /usr/lib
        if [[ "$lib_target" == "/usr/lib" ]]; then
            systemd_path="/usr/lib/systemd/system"
        else
            systemd_path="/lib/systemd/system"
        fi
    else
        systemd_path="/lib/systemd/system"
    fi
    cp /tmp/fail2ban/build/fail2ban.service ${systemd_path}/fail2ban.service
    rm -rf /tmp/fail2ban
    rm -f /usr/bin/fail2ban-client
    rm -f /usr/bin/fail2ban-server
    if [ ${py_v} != "/usr/bin/python" ]; then
        ln -s /www/server/panel/pyenv/bin/fail2ban-server /usr/bin/fail2ban-server
        ln -s /www/server/panel/pyenv/bin/fail2ban-client /usr/bin/fail2ban-client
    else
        ln -s /usr/local/bin/fail2ban-server /usr/bin/fail2ban-server
        ln -s /usr/local/bin/fail2ban-client /usr/bin/fail2ban-client
    fi
}

Install_fail2ban() {
    mkdir -p $plugin_path/cdn
    cd /tmp
    if [ -f '/usr/bin/yum' ]; then
        yum install git -y
        yum install rsyslog -y
    else
        apt install git -y
        apt install rsyslog -y
    fi

    nohup systemctl stop fail2ban &
    if [ -f "/www/server/panel/pyenv/bin/fail2ban-client" ]; then
        nohup /www/server/panel/pyenv/bin/fail2ban-client stop &
    fi
    pkill -9 -f fail2ban
    ${pip_v} uninstall fail2ban -y
    new_install
    if [ ! -f "/usr/bin/fail2ban-client" ]; then
        new_install
    fi
    cd /tmp
    #修改sock和pid位置
    sed -i "s/pidfile\s=.*/pidfile = \/www\/server\/panel\/plugin\/fail2ban\/fail2ban\.pid/g" /etc/fail2ban/fail2ban.conf
    sed -i "s/socket\s=\s\/.*/socket = \/www\/server\/panel\/plugin\/fail2ban\/fail2ban\.sock/g" /etc/fail2ban/fail2ban.conf
    if [ "$systemd_python" == "False" ]; then
        echo "systemd backend is not available, using polling backend instead."
    fi

    if [ ! -f "/etc/fail2ban/jail.local" ]; then
        cp $plugin_path/jail.local /etc/fail2ban/jail.local
    fi

    #检查端口
    sshport=$(grep -v "#" /etc/ssh/sshd_config | grep "Port" | awk '{print $2}' | tr "\n" ",")
    sshport=${sshport%?}
    if [ "$sshport" = "" ]; then
        sshport="22"
        sed -i "s/port = 22/port = $sshport/g" /etc/fail2ban/jail.local
    else
        sed -i "s/port = 22/port = $sshport/g" /etc/fail2ban/jail.local
    fi
    ftpport="21"
    if [ -f "/www/server/pure-ftpd/etc/pure-ftpd.conf" ]; then
        ftpport=$(grep -v "#" /www/server/pure-ftpd/etc/pure-ftpd.conf | grep Bind | awk -F "," '{print $2}')
        if [ "$ftpport" = "" ]; then
            ftpport="21"
            sed -i "s/port = 21/port = $ftpport/g" /etc/fail2ban/jail.local
        else
            sed -i "s/port = 21/port = $ftpport/g" /etc/fail2ban/jail.local
        fi
    fi

    jsonconf="{\"sshd\": {\"maxretry\": 5, \"findtime\": 300, \"act\": \"true\", \"port\": \"$sshport\", \"dir\": \"\", \"bantime\": 86400},\"ftpd\": {\"maxretry\": 5, \"findtime\": 300, \"act\": \"true\", \"port\": $ftpport, \"dir\": \"\", \"bantime\": 86400}}"
    if [ ! -f "/www/server/panel/plugin/fail2ban/config.json" ]; then
        echo $jsonconf >$plugin_path/config.json
    fi

    #设置安全日志路径
    if [ -f "/var/log/auth.log" ]; then
        slp="\/var\/log\/auth.log"
        sed -i "s/\/var\/log\/secure/$slp/g" /etc/fail2ban/jail.local
    fi
    if [ -f "/var/log/secure" ]; then
        slp="\/var\/log\/secure"
        sed -i "s/\/var\/log\/auth.log/$slp/g" /etc/fail2ban/jail.local
    fi

    #使用UFW规则
    if [ ! -f "/etc/redhat-release" ]; then
        sed -i "s/banaction = firewallcmd-ipset/banaction = ufw/g" /etc/fail2ban/jail.local
    fi
    #设置messages日志
    grep -v "#" /etc/rsyslog.conf | grep "messages"
    if [ "$?" -ne 0 ]; then
        echo "*.info;mail.none;authpriv.none;cron.none                /var/log/messages" >>/etc/rsyslog.conf
        systemctl restart rsyslog
    fi
    #设置ubuntu系统日志
    if [ ! -f '/var/log/messages' ]; then
        if [ -f '/var/log/syslog' ]; then
            echo "Setting syslog..."
            sed -i "s/messages/syslog/g" /etc/fail2ban/jail.local
        fi
    fi
    #cd /tmp/
    systemctl restart rsyslog
    systemctl unmask fail2ban
    systemctl daemon-reload
    systemctl restart fail2ban
    systemctl enable fail2ban
    running_status=$(systemctl is-active fail2ban)
    if [ ! "${running_status}"=="active" ]; then
        /www/server/panel/pyenv/bin/fail2ban-client start
    fi
    echo 'Successify'
}

Uninstall_fail2ban() {
    systemctl stop fail2ban
    systemctl disable fail2ban
    fail2ban-client unban --all
    fail2ban-client stop
    pkill -9 -f fail2ban
    ${pip_v} uninstall fail2ban -y
    rm -rf /etc/fail2ban
    rm -f /etc/init.d/fail2ban
    rm -f /lib/systemd/system/fail2ban.service
    rm -rf /www/server/panel/plugin/fail2ban
    rm -f /usr/bin/fail2ban-client
    rm -f /usr/bin/fail2ban-server
    rm -f /var/log/fail2ban.log
    if [ -f '/usr/bin/yum' ]; then
        yum remove fail2ban* -y
    else
        apt remove fail2ban* -y
    fi

    echo 'Successify'
}

action=$1
if [ "${1}" == 'install' ]; then
    Install_fail2ban
#    echo '1' >/www/server/panel/data/reload.pl
else
    Uninstall_fail2ban
fi
